When architecting a cybersecurity risk program, a challenge that is often encountered is how to organize the wide variety of risk scenarios into reporting that makes sense to the people responsible for managing that risk. Reports should be tailored so that the information is useful at each level of the organization that receives it.
This blog post assumes that your organization has already moved toward effective cyber risk management and recognizes that subjective red-yellow-green, high-medium-low qualitative assessments and heat maps are not adequate for well-informed risk management decisions. With that noted, we can focus on a summary of the assessment process and then on stratifying the results into useful reporting levels.
When working with RiskLens customers, I have noted two common levels of operations and reporting: tactical reporting for those who manage cybersecurity and technology risk day to day, and strategic reporting for ERM, the C-Suite, and the Board.
Steve Tabacek is Co-Founder and President of RiskLens
Tactical Cybersecurity Risk Reporting
Daily operations risk scenarios are introduced into the company constantly through multiple sources. Within cybersecurity and technology risk, the illustration below shows a common (not all-inclusive) pipeline of activity which, at inception, may or may not represent risk.
Common sources include audit findings, policy exceptions, control variances, incident management, threat observations, or project evaluations. The pressure valve within this pipeline represents the person or department responsible for managing the intake. This pipeline of observations, issues, or incidents needs to be evaluated to determine if the scenarios represent risk to the organization. Beyond the pressure valve, cyber and tech risk analysts reformulate this incoming pipeline of issues into meaningful risk scenarios. Each risk scenario is scoped to include one or more assets at risk, threat agent(s), and loss effect(s). Reporting at this level is normally structured to enable well informed tactical decisions like policy exceptions, variances to pre-established acceptable conditions, or mitigation options and prioritization.
Below is an example of scenario analysis reporting for a single audit finding, showing the unacceptable control efficacy condition (with a $17.6M most likely loss exposure) side by side with the compliant control efficacy condition (at $0 most likely loss exposure).
The illustration below is an example of an aggregated analysis that enables well-informed project prioritization. It is a side-by-side comparison of four project analyses showing loss exposure and estimated mitigation cost. Each scenario can be evaluated to determine which projects give the best return on mitigation resources (loss exposure reduced per dollar spent).
Strategic ERM, C-Suite, & Board Reporting
This is not a reformulation of daily operational risk reporting. Instead, it is a top-down, big-picture focus on cybersecurity risk that could materially impact the organization. Senior leadership already has significant experience determining organization risk appetite and tolerance levels for strategic, compliance, operational, financial, and reputational risk. They want to make effective comparisons between those forms of risk and cybersecurity risk.
Instead of re-purposing tactical cybersecurity risk reporting, a CISO or CTRO can efficiently guide the risk team to identify the most significant confidentiality, integrity, and availability scenarios for each department or business unit. The graphic below illustrates a pipeline of top risk scenarios for each business unit. The pressure gauge represents the concentration of assessments that need to be periodically updated to ensure risk scenarios are managed over time (quarter over quarter and year over year). Reporting is structured much differently than day-to-day tactical operations. Here, reports are focused on strategic, big-picture questions, helping ERM, the C-Suite, and Boards answer the "so what" question: "How much material risk do we have, and what are we doing about it?"
At the Board, C-Suite, and ERM level the focus is on KRIs (key risk indicators): measurements of the probability, frequency, and magnitude of loss events that would exceed the organization's risk appetite and materially impair its ability to succeed. KPIs (key performance indicators), by contrast, are the gauges and measurements the organization uses to understand how well business units are performing against their risk management goals. If cybersecurity reports identify material risk, expect the Board, C-Suite, and ERM to ask for a strategic mitigation strategy and a timeline for reducing it.
The illustration below is an example of an organization's top-7 risk scenarios. Very quickly, one understands how much risk sits within pre-established tolerance and materiality thresholds, and how much does not.
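The two analyses described above, the side-by-side project comparison used for tactical prioritization and the top-scenario view compared against a tolerance threshold for the Board, both rest on the same quantitative core: a loss exposure estimate per scenario. The following is an added example, not RiskLens code or the author's own, of that core as a small Monte Carlo model. It uses FAIR-style inputs (loss event frequency per year and loss magnitude per event, each as a calibrated min/most-likely/max estimate) with a triangular distribution standing in for the PERT curves most tools use; the scenario names, dollar figures, mitigation costs and the tolerance threshold are constructed sample data, and ranking by ROI and flagging on the p90 annual loss are this example's own choices rather than anything the post prescribes.

```python
"""Added example: Monte Carlo loss exposure for FAIR-style risk scenarios (not RiskLens code)."""
import math
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max range for an uncertain quantity."""
    lo: float
    ml: float
    hi: float

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for the PERT/BetaPERT used by most tools (assumption).
        return rng.triangular(self.lo, self.hi, self.ml)


@dataclass(frozen=True)
class Scenario:
    """One scoped risk scenario: asset at risk, threat agent and loss effect, with FAIR-style inputs."""
    name: str
    business_unit: str
    lef: Estimate  # loss event frequency, events per year
    lm: Estimate   # loss magnitude, USD per event


@dataclass(frozen=True)
class Project:
    """A mitigation option: the scenario before and after the control, plus the control's cost."""
    name: str
    before: Scenario
    after: Scenario
    cost: float


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of loss events in one simulated year at rate lam."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(s: Scenario, trials: int = 5000, seed: int = 1) -> Dict[str, float]:
    """Simulate annual loss for one scenario; return the mean (ALE) and the p50/p90 annual loss."""
    rng = random.Random(seed)  # fixed seed so reports are reproducible run to run
    annual: List[float] = []
    for _ in range(trials):
        events = _poisson(rng, s.lef.sample(rng))          # how many loss events this year
        annual.append(sum(s.lm.sample(rng) for _ in range(events)))  # total loss this year
    annual.sort()
    return {"ale": sum(annual) / trials, "p50": annual[trials // 2], "p90": annual[int(trials * 0.9)]}


def prioritize(projects: List[Project]) -> List[Dict[str, object]]:
    """Tactical view: exposure reduction per project, best ROI first."""
    rows = []
    for p in projects:
        reduction = simulate(p.before)["ale"] - simulate(p.after)["ale"]
        rows.append({"project": p.name, "reduction": reduction, "cost": p.cost,
                     "roi": (reduction - p.cost) / p.cost})
    return sorted(rows, key=lambda r: r["roi"], reverse=True)


def exceeds_tolerance(scenarios: List[Scenario], tolerance: float) -> List[str]:
    """KRI view: scenarios whose p90 annual loss is above the stated loss tolerance."""
    return [s.name for s in scenarios if simulate(s)["p90"] > tolerance]


# Constructed sample inputs for illustration only; not real findings or real figures.
RANSOMWARE = Scenario("Ransomware on file servers", "Operations",
                      Estimate(0.2, 0.5, 1.0), Estimate(2e6, 5e6, 20e6))
RANSOMWARE_PATCHED = Scenario(RANSOMWARE.name, "Operations",
                              Estimate(0.05, 0.1, 0.3), RANSOMWARE.lm)
PHISHING = Scenario("Credential phishing leading to payroll fraud", "Finance",
                    Estimate(2, 5, 10), Estimate(5e3, 20e3, 50e3))
PHISHING_MFA = Scenario(PHISHING.name, "Finance", Estimate(0.2, 0.5, 1.5), PHISHING.lm)

PROJECTS = [
    Project("Roll out MFA to payroll portal", PHISHING, PHISHING_MFA, cost=200e3),
    Project("Patch and segment file servers", RANSOMWARE, RANSOMWARE_PATCHED, cost=500e3),
]
TOP_SCENARIOS = [RANSOMWARE, PHISHING]

if __name__ == "__main__":
    for row in prioritize(PROJECTS):
        print(f"{row['project']:<35} reduction ${row['reduction']:>12,.0f}  ROI {row['roi']:+.1f}x")
    print("Above $1M annual loss tolerance at p90:", exceeds_tolerance(TOP_SCENARIOS, 1e6))
```

The same `simulate` output feeds both reports; only the framing changes. The tactical rows carry reduction and cost so an analyst can defend a prioritization, while the Board view collapses to a list of scenarios that breach tolerance. A real program would replace the triangular distribution with a calibrated PERT, separate primary from secondary loss, and use far more trials.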
In summary, when it comes to cybersecurity reporting, know your audience. Tactical reporting on analysis results such as control efficacy degradation, variance to policies, and pre/post mitigation comparisons is extremely useful to those directly managing cybersecurity and technology risk, but generally too tactical for ERM, the C-Suite, and Boards. Senior executives and Boards focus on big-picture strategic issues.
For further reading:
Getting the Right Cybersecurity Metrics and Reports for your Board by Jack Jones and James Lam in NACD Board Talk
Building a Cyber Risk Report Your Board Will Love by Nick Sanna in Infosecurity Magazine.